1 Project 2: Web App Security Collin Jackson CS 155 Spring 2007

2 Part 1 Attacks

3 Overview Explore several attack types Requires both effectiveness and stealth Learn: How an attacker can evade sanitization Consequences of an exploit JavaScript Very basic CSS

4 A: Cookie Theft Use URL encoding Could hijack session C: Password Theft Evade sanitization Handle DOM events Attacks B: Request Forgery Navigate browser Use iframes, forms D: Profile Worm Persistent attack Replicates zoobar.org link zoobar.org form badguy.com stanford.edu redirect badguy.com zoobar.org form zoobar.org

5 Sanitization Works differently depending on context Attack: Break out with ' " Defense: escape quotes with \ attackstring Attack: Launch script with Attack: Close off parent tag Defense: escape angle brackets eval( attackstring ) Attack: Do whatever you want Defense: Don’t do that

6 Example: Profile Deleter Malicious hyperlink deletes profile of user who clicks it Only works when user logged in User might have multiple tabs open Might have chosen/forgotten not to log out Might appear in another user’s profile Uses vulnerability in users.php from Attack A Constructs profile deletion form and submits it ???

7 Find vulnerability Site reflects query parameter in input field Link can include anything we want here

8 Copy form data View source to find form fields Create copycat form with our modifications

9 Close previous, Button click triggers form submit URL encode

10 Debugging Check error It didn’t work. Open JavaScript console Undefined  No properties! Two forms with same name

11 Now with correct form Fixed version

12 Profile deleted Final Test users.php replaced with index.php %0D%20%20action%3D%22%2Findex%2Ephp%22%3E%0D%3Ctextarea%20name%3D%22profile%5Fupdate%22%3E%3C% 2Ftextarea%3E%3Cbr%2F%3E%0D%3Cinput%20type%3Dsubmit%20name%3D%22profile%5Fsubmit%22%20value%3D%22 Save%20Profile%22%3E%3C%2Fform%3E%0D%3Cscript%3Edocument%2Eforms%5B1%5D%2Eprofile%5Fsubmit%2Eclick%28 %29%3C%2Fscript%3E

13 Post form into hidden iframe … Open page with form in hidden iframe … document.myframe.contentDocument.forms[0].profile_update.value =“”; Stealthier approaches

14 Part 2 Defenses

15 Goals Learn: How easy it is to make mistakes That even simple code can be hard to secure Techniques for appropriate input validation PHP Very basic SQL Little programming knowledge can be a dangerous thing

16 File structure index.php users.php transfer.php login.php includes/ auth.php (cookie authentication) common.php (includes everything else) navigation.php (site template) db/ zoobar/  Person.txt (must be writable by web server) Includes /usr/class/cs155/projects/pp2/txt-db-api/… Only edit these files

17 txt-db-api Third-party text file database library Data can be int, string, and autoincrement Need to escape strings: \' \" \\ Actually magic_quotes_gpc does this for us $recipient = $_POST[‘recipient’]; // already escaped $sql = "SELECT PersonID FROM Person WHERE Username='$recipient'"; $rs = $db->executeQuery($sql); if( $rs->next() ) $id = $rs->getCurrentValueByName(‘PersonID’);

18 A: Cookie Theft C: Password Theft Defenses to Part 1 B: Request Forgery Attack D: Profile Worm

19 PHP Sanitization Techniques addslashes(string) Prepends backslash to ' " \ Already done by magic_quotes_gpc Inverse: stripslashes(string) htmlspecialchars(string [, quote_style]) Converts & " to HTML entities Use ENT_QUOTES to change ' to ' strip_tags(string, [, allowable_tags]) Max tag length 1024 Does not sanitize tag properties preg_replace(pattern, replacement, subject) More info:

20 More XSS hunting Look for untrusted input used as output Note sanitization already applied to each variable Form data has magic_quotes_gpc, db data does not Sanitize the output if necessary No penalty for erring on the side of caution But sanitizing multiple times may lead to problems No credit for solving non-goals: SQL injection, etc.

21 Good luck!